Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

custom alert condtion for search query

sarkanth12
New Member
‎02-19-2013 11:30 AM 
sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*" OR uri_path="/assets/*" dc="ALLN"
| chart count(uri_path) as Allen_hits
| join allen_id  [ search 
   host="cdcxweb-prod*" sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*" 
   OR uri_path="/assets/*" dc="RCDN"
   | chart count(uri_path) as Rcdn_hits ] 
| join total_id [ search 
   host="cdcxweb-prod*" sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*" 
   OR uri_path="/assets/*" 
   | chart count(uri_path) as Total_hits ]
| eval AllenPercentage=(Allen_hits/Total_hits)*100 
| eval RcdnPercentage=(Rcdn_hits/Total_hits)*100
| eval SLA_STATUS=case(RcdnPercentage>80 AND AllenPercentage<20,1234)
| table Allen_hits Rcdn_hits Total_hits AllenPercentage RcdnPercentage SLA_STATUS

I have created custom alert condition as below, but still am not getting alert and email.

search SLA_STATUS = 1234

pls help me on this one.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎02-20-2013 08:04 PM

In the original searches, you join the results of the second search to the first search using allen_id. For the following join, you use total_id.

But I can't see how these joins could possibly work, as the second and third searches do not return fields named allen_id or total_id.

Also, your two subsearches are running over All Time - not just the search range that you chose for the outer search. Did you intend to do that?

0 Karma
Reply

sarkanth12
New Member
‎02-20-2013 02:26 PM

thanks for your help. I did individual searches and getting results as expected and also entire search return the o/p as follow.

Allen_hits Rcdn_hits Total_hits AllenPercentage RcdnPercentage SLA_STATUS
0 416326 473875 0 87.855658 1234

as you suggested ,
I ran the below search query and getting only Allen and Rcdn vlaues and not getting OTH_cdcxweb values
sourcetype="access_combined_wcookie"
(uri_path="/en/US/" OR uri_path="/web/fw/" OR uri_path="/assets/")
(dc="ALLN" OR host="cdcxweb-prod")
| eval series=case(dc=="ALLN","Allen",
dc=="RCDN" AND host="cdcxweb-prod*","Rcdn",
host=="cdcxweb-prod*","OTH_cdcxweb".
1==1,"Unknown")
| where series!="Unknown"
| chart count by series

0 Karma
Reply

lguinn2
Legend
‎02-19-2013 07:33 PM

First - do the individual searches (run separately) return any results?

Second - does the entire search return an SLA_STATUS=1234?
Third - what if you leave off the word search in the custom alert condition?

Finally, I think you could write a search that would run much faster:

sourcetype="access_combined_wcookie" 
(uri_path="/en/US/*" OR uri_path="/web/fw/*" OR uri_path="/assets/*") 
(dc="ALLN" OR host="cdcxweb-prod*")
| eval series=case(dc=="ALLN","Allen",
                   dc=="RCDN" AND host="cdcxweb-prod*","Rcdn",
                   host=="cdcxweb-prod*","OTH_cdcxweb".
                   1==1,"Unknown")
| where series!="Unknown"
| chart count by series 
| eval totalHits = Rcdn + OTH_cdcxweb
| eval AllenPercentage=(Allen/totalHits)*100 
| eval RcdnPercentage=(Rcdn/totalHits)*100
| eval SLA_STATUS=if(RcdnPercentage>80 AND AllenPercentage<20,1234)
| table Allen Rcdn totalHits AllenPercentage RcdnPercentage SLA_STATUS
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...